US8700891B2 - Preserving security association in MACsec protected network through VLAN mapping - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
Definitions
- This description relates to the communication of information via a network, and more specifically to preserving role based security association in a protected network.
- the I.E.E.E. (Institute of Electrical and Electronics Engineers) 802.1 AE (MACsec) standard specifies a set of protocols to meet the security requirements for protecting data traversing local area networks (LANs).
- MACsec allows unauthorized LAN connections to be identified and excluded from communication within the network.
- MACsec defines a security infrastructure to provide data confidentiality, data integrity and data origin authentication. By assuring that a frame or packet comes from the network device that claimed to send it, MACsec can mitigate attacks on the networking Layer 2 protocols.
- a MACsec enabled network often includes a network that is substantially in compliance with the MACsec standard, its derivatives, or predecessors (hereafter, “the MACsec standard” or “802.1 AE standard”).
- IEEE Computer Society, IEEE Standard for Local and metropolitan area networks, Media Access Control (MAC) Security, IEEE Std. 802.1AE™-2006 (18 Aug. 2006).
- a virtual LAN is often a group of hosts or network devices that communicate as if they were attached to the same broadcast domain, regardless of their physical location.
- a VLAN frequently has the same high-level attributes as a physical LAN, but it allows for end stations or network devices to be grouped together even if they are not located on the same network switch. Furthermore, often network reconfiguration can be done through software instead of physically relocating devices. VLANs are frequently useful if one wants to create multiple Layer 3 networks on the same Layer 2 switch.
- a VLAN enabled network often includes a network that is substantially in compliance with the VLAN standard, its derivatives, or predecessors (hereafter, “the VLAN standard” or “802.1Q standard”). IEEE Computer Society, IEEE Standard for Local and metropolitan area networks, Virtual Bridged Local Area Networks, IEEE Std. 802.1Q™-2005 (19 May 2006).
- a method of using a network device may include receiving, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address. In various embodiments, the method may also include determining if the data packet includes a security tag that includes a role based authentication tag. In some embodiments, the method may include, if the data packet includes a security tag that includes a role based authentication tag, transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- an apparatus may include an ingress port, a processor, and an egress port.
- the ingress port may be configured to receive a data packet that includes a payload portion, a source network address and a destination network address.
- the processor may be configured to determine if the data packet includes a security tag that includes a role based authentication tag.
- the egress port may be configured to, if the data packet includes a security tag that includes a role based authentication tag, transmit at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- a computer program product for communicating information, the computer program product being tangibly embodied on a computer-readable medium and including executable code that, when executed, is configured to cause a network apparatus to receive, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address.
- the executable code may cause the network apparatus to determine if the data packet includes a security tag that includes a role based authentication tag.
- the executable code may cause the network apparatus to, if the data packet includes a security tag that includes a role based authentication tag, transmit, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- FIG. 1 is a block diagram of an example embodiment of a known system that may be used in accordance with the disclosed subject matter.
- FIG. 2 is a block diagram of an example embodiment of a system in accordance with the disclosed subject matter.
- FIG. 3 is a block diagram of an example embodiment of a system in accordance with the disclosed subject matter.
- FIG. 4 is a block diagram of example embodiments of data packets in accordance with the disclosed subject matter.
- FIG. 5 is a flow chart of an example embodiment of a technique in accordance with the disclosed subject matter.
- FIG. 1 is a block diagram of an example embodiment of a known system 100 that may be used in accordance with the disclosed subject matter.
- a user 102 or client device 104 may attempt to access a protected or restricted network 101 that restricts access to the network 101 and/or the resources provided by the network.
- the protected or restricted network 101 may include an access point 106 , one or more switches or routing network devices (e.g., switches 108 or 108 a ), an authentication server or entity 110 , and at least one server 114 .
- the authentication server or entity 110 may utilize a database 112 to authenticate the supplicant 103 .
- the server 114 may provide access to information or data 116 .
- the supplicant 103 may desire access to the network 101 .
- the supplicant 103 may interact with the perimeter (in a topological sense) of the network 101 via the access point (AP) 106 .
- the AP 106 may include a wired or wireless AP.
- the AP 106 may ignore or drop any communications traffic from the supplicant 103 except authentication traffic.
- the AP 106 may forward any authentication traffic, authentication path 120 , to the Authentication server 110 .
- a path may include a number of network links (e.g., the link between the AP 106 and switch 108 , or the link between the switch 108 and the authentication server 110 , etc.).
- the authentication server 110 may employ or use one or more network authentication protocols, such as, for example Remote Authentication Dial In User Service (RADIUS), Diameter, or Terminal Access Controller Access-Control System Plus (TACACS+); although, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the authentication server 110 may employ various database 112 schemes to authenticate the supplicant 103 .
- One such scheme may include Lightweight Directory Access Protocol (LDAP); although, it is understood that the above is merely one illustrative example to which the disclosed subject matter is not limited.
- the authentication server 110 may report back to the AP 106 or supplicant 103 with the results of the authentication attempt. Assuming the supplicant 103 has been properly authenticated and given the right to access the network 101 , the AP 106 may then note the level of access rights given to the supplicant 103 . In various embodiments, this may be done by associating the network address (e.g., Internet Protocol (IP) address) of the supplicant 103 with a rights scheme or level.
- this may be problematic in many environments as supplicants (e.g., laptops, smart phones, etc.) become more mobile and are likely to change their IP addresses while still desiring access to the network 101 .
- the supplicant 103 may then wish to access the network 101 or data (e.g., data 116 ) thereon.
- the supplicant 103 may perform a user data communication requesting data 116 , for example.
- the AP 106 may determine if the supplicant 103 has the proper access privileges or rights to access the data 116 . In some embodiments, the AP 106 may make this determination based upon an Access Control List (ACL) 118 stored by the AP 106 . If the supplicant 103 may access the data 116 , the AP 106 may provide access via access path 122 that includes switch or routing network device 108 a , server 114 , and data 116 .
- the gating of supplicant 103 access to specific resources is done at the perimeter of the network 101 (e.g., AP 106 ).
- any change in access privileges need to be pushed from the core of the network (e.g., server 114 , authentication server 110 , etc.) to the perimeter (e.g., AP 106 ).
- where the APs are widely distributed geographically, updates to the ACLs may occur at different rates, such that the ACLs across the network 101 perimeter are no longer synchronized.
- FIG. 2 is a block diagram of an example embodiment of a system 200 in accordance with the disclosed subject matter.
- the system 200 may include a plurality of supplicants (e.g., supplicants 103 , 103 a , and 103 b ), and a protected or restricted network 101 .
- the network 101 may include an access point (AP) 106 , one or more routing network devices (e.g., switches 108 and 108 a ), and a plurality of servers (e.g., servers 114 , 114 a , and 114 b ).
- the network 101 may also include an authentication server 110 , a database 112 , and various data (e.g., data 116 , 116 a , 116 b ).
- a supplicant 103 may desire access to the network 101 .
- the authentication server 110 may assign a role to the supplicant (e.g., administrator, employee, contractor, etc.). In such an embodiment, this role may be encoded into or associated with the user data messages or communication sent by the supplicant.
- the supplicant 103 may be assigned an “admin” role.
- the supplicant's specific privileges may not be checked at the network periphery (e.g., AP 106 ), but instead at the network device (e.g., server 114 ) that controls the data.
- the server 114 may maintain its own ACL 216 that bases access rights on the supplicant's 103 assigned role and not the supplicant's 103 network address.
- the ACL 218 may be configured to allow access to the data 116 a by any supplicant bearing the “admin” role.
- the supplicant 103 a (including user 102 a and/or client 104 a ) may be assigned an “employee” role by the authentication server 110 .
- the supplicant 103 a may attempt to access data 116 a via access path 222 a .
- supplicant 103 a 's access to the data 116 a may be gated by the server 114 a and the ACL 218 a maintained or stored by the server 114 a .
- the ACL 218 a may be configured to allow access to the data 116 a by any supplicant bearing the “employee” or “admin” roles.
- the supplicant 103 a may attempt to access data 116 .
- data 116 may be administrator level data, for example.
- the server 114 may determine (e.g., via ACL 218 ) whether or not supplicant 103 a is authorized or assigned a role corresponding with the access privileges detailed in the ACL 218 .
- the supplicant 103 a has been assigned the wrong role (e.g., the “employee” role) and, therefore, supplicant 103 a 's access may be blocked by the server 114 .
- the supplicant 103 b may be assigned a “contractor” role by the authentication server 110 .
- the supplicant 103 b may attempt to access data 116 b via access path 222 b .
- supplicant 103 b 's access to the data 116 b may be gated by the server 114 b and the ACL 218 b maintained or stored by the server 114 b .
- the ACL 218 a may be configured to allow access to the data 116 a by any supplicant bearing the “contractor”, “employee”, or “admin” roles.
- supplicant 103 b bearing or being assigned only the “contractor” role may be unable to access data 116 or 116 a.
- the AP 106 may still perform a high-level access rights check to confirm that a supplicant is allowed on the network 101 at all, for example.
- a distributed access control scheme (e.g., ACLs, etc.) may be employed by a network.
- this may allow a tiered access scheme; although, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the role based authentication or security tag may be included as part of a MACsec SecTag, as described above. In another embodiment, such a role based authentication or security tag may be included as part of a virtual local access network (VLAN) header or tag, as described below.
- FIG. 4 is a block diagram of example embodiments of data packets 401 and 403 in accordance with the disclosed subject matter.
- the data packet 401 may include a destination address 402 , a source address 404 , a payload portion 408 , and a MACsec SecTag 406 .
- the data packet 403 may include a destination address 402 , a source address 404 , a payload portion 408 , and a VLAN header or tag 492 . It is understood that while the term “packet” is used in this embodiment, other embodiments may include other forms or data formatting (e.g., frames, etc.).
- the destination address 402 may include the network address of the substantially final network device (e.g., server, client, etc.) for whom the packet 401 or at least the payload portion 408 is destined.
- the source address 404 may include the network address of the substantially first or originating network device (e.g., server, client, etc.) from whom the packet 401 or at least the payload portion 408 was originally sent.
- the source address 404 and destination address 402 may represent intermediate network devices along the path from the ultimate source and destination.
- the payload portion 408 may include the data that the source network device (e.g., client, server, etc.) seeks to communicate with the destination source network device. It is also understood that, in various embodiments, the payload portion 408 may include an encapsulated payload portion and that ultimately it may be this encapsulated payload portion (in an un-encapsulated format) that is transmitted to the destination. In various embodiments, the payload portion 408 may include one or more nested headers or footers and ultimately the data payload, as is often done in many network protocols.
- the term “payload portion” includes that un-encapsulated data that is ultimately communicated (or attempted to be communicated) to the destination network device.
- the data packet 401 and/or data packet 403 may include error correction data or information. In various embodiments, this may include an Integrity Check Value (ICV) 410 and/or a frame check sequence (FCS) 412 . In one embodiment, the ICV portion 410 and/or FCS portion 412 may include checksums to facilitate the correct and error-free transmission of the data or payload portion 408 or sub-portion of the data packet across the network.
- the ICV portion 410 may be employed to authenticate the integrity of the destination MAC address 402 and source MAC address 404 parameters, as well as all the fields of the MACsec Protocol Data Unit (MPDU).
- the MPDU may include the MACsec SecTag 406 , Payload 408 and ICV 410 itself.
- the ICV portion 410 may be required by the I.E.E.E. 802.1 AE standard and included in any security tag that is substantially compatible with the I.E.E.E. 802.1 AE standard.
- the ICV portion 410 may provide integrity protection of the role based security tag.
- the ICV portion 410 may include a value that is derived by performing an algorithmic transformation on the data unit, payload portion, other portions for which data integrity services are provided.
- the ICV portion 410 may be, in one embodiment, sent with the protected payload portion 408 or MPDU and may be recalculated and compared by the receiver to detect data modification.
- the data packet 401 may include a MACsec SecTag 406 .
- the MACsec SecTag 406 may include a protocol header, comprising a number of octets and beginning with an EtherType portion 422 , that is prepended to the payload portion 408 supplied by the client of the protocol, and is used to provide security guarantees.
- the MACsec SecTag 406 may include an implementation or embodiment of the MACsec 802.1 AE standard that provides link layer security for an Ethernet network.
- the 802.1 AE standard may specify the protocol to establish and identify a security association for the data packet 401 .
- the MACsec Tag 406 may further define or indicate the algorithm and format employed to protect the confidentiality and integrity of the data packet 401 on a point-to-point or shared media based network. As described above, MACsec security association is typically negotiated on a network link-by-link basis.
- the MACsec SecTag 406 may include a MACsec Ethertype 422 configured to indicate the networking protocol encapsulated by the data packet 401 (e.g. MACsec, etc.).
- the MACsec Ethertype 422 may include the first two octets of the MACsec SecTag 406 .
- the MACsec SecTag 406 may include a TAG Control Information (TCI) portion 424 configured to control information detailing the structure and format of the MACsec SecTag 406 .
- TCI portion 424 may include one or more of: the version number of the MACsec protocol, an indication of the use (or lack thereof) of the optional MAC Source Address parameter to convey the Secure Channel Identifier (SCI) portion 432 , an indication of the use (or lack thereof) of the optional explicitly encoded SCI, an indication of the use (or lack thereof) of other optional features, an indication of whether confidentiality or integrity alone are in use, etc.; although, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the TCI portion 424 may include a sub-portion of the third octet (e.g., bits 8 through 3 ).
- the MACsec SecTag 406 may include an Association Number (AN) portion 426 .
- the AN portion 426 may include a number that may be concatenated with the Secure Channel Identifier (SCI) portion 432 to identify a Secure Association (SA).
- SA may include or identify a security relationship that provides security guarantees for packets or frames transmitted from one network device to the other network devices within the security relationship or association.
- the AN portion 426 may identify up to four different SAs within the context of a secure channel (SC).
- the AN portion 426 may be encoded as an integer in the third octet of the MACsec SecTag 406 (e.g., bits 1 and 2 ).
- the MACsec SecTag 406 may include a Short Length (SL) portion 428 that is configured to indicate the length of the payload portion 408 .
- the SL portion 428 may include an integer value indicating the length in terms of octets.
- the SL portion 428 may be included as at least part of the fourth octet of the MACsec SecTag 406 . Bits 7 and 8 of octet 4 shall be zero.
- the MACsec SecTag 406 may include a packet number (PN) portion 430 that is configured to uniquely identify a MACsec frame or packet in the sequence of frames or packets transmitted employing an SA.
- PN portion 430 may be included as part of octets five through eight of the MACsec SecTag 406 .
- the MACsec SecTag 406 may include a Secure Channel Identifier (SCI) portion 432 that is configured to provide a globally unique identifier for a secure channel.
- the SCI portion 432 may include a substantially globally unique MAC Address and a Port Identifier, wherein “unique” means unique within the system that allocated that address.
- the SCI portion 432 may be included as part of octets eight through sixteen of the MACsec SecTag 406 .
- a first portion 434 of the SCI 432 (e.g., six octets) may include a substantially globally unique MAC address associated with the transmitting network device.
- a second portion 436 of the SCI 432 (e.g., 2 octets) may be used or employed to encode the Port Identifier component of the SCI 432 , as an integer.
- a portion 440 of the SCI 432 may be employed or used to encode the role tag or a numeric identifier that substantially uniquely identifies the role or roles assigned to or associated with the source network device.
- this role tag portion 440 may be included as part or all of the port identifier portion 436 of the SCI 423 .
- the role tag 440 may be protected using MACsec-based link layer authentication, as described above.
- the role tag may comprise 12 bits.
- the PI 436 may include 16 bits of which 12 may be employed for the role tag 440 .
- communication amongst network devices may occur on network ports that are mapped to roles. For example, if a role tag value is “136”, communication from network devices assigned that role tag may occur via network port “136”; although, it is understood that the above is merely one illustrative example to which the disclosed subject matter is not limited.
- the role tag 440 may supplant the purpose of the PI portion 436 .
- the TCI 424 may be employed to indicate such a re-purposing of all or a portion of the SCI 432 .
- a portion of the SCI 432 itself may be employed to indicate the existence of the role tag portion 440 .
- the role tag 440 may be assigned through authentication (e.g., via the 802.1 AE protocol) to identify the role of the supplicant (e.g., user, client, etc.) accessing the network.
- roles may be created and stored in backend authentication server/directory server (e.g., authentication server 110 or database 112 of FIG. 1 or 2 ).
- the role tag 440 may be associated with user generated traffic, as described above.
- a virtual local area network (VLAN) header or tag may be employed to carry or indicate a role based authentication tag (e.g., role tag 440 ).
- a network device may not support or desire the use of the 802.1 AE standard.
- the VLAN data packet 403 may include a MAC destination address portion 402 , a MAC source address portion 404 , a payload portion 408 , and a VLAN header or tag 492 .
- the VLAN data packet 403 may also include some form of data integrity or error detection (e.g., FCS portion 412 , etc.).
- the VLAN header or tag 492 may include, for purposes of this matter, two portions.
- the VLAN header or tag 492 may include a VLAN identifier (ID) portion 496 and a second portion 494 .
- the VLAN ID 496 may generally be configured to indicate the VLAN of which the data packet 403 is a part. However, in various embodiments, the VLAN ID 496 may be repurposed to include the role tag 440 or an indication thereof. In such an embodiment, the role tag value and VLAN ID value may be synonymous, similarly to the embodiment discussed above in which the network port ID and the role tag value were synonymous. In another embodiment, the VLAN ID portion 496 may simply be employed as a mule or carrier for the role tag 440 . It is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the VLAN ID portion 496 may include 12 bits.
- the role tag 440 may be no larger than 12 bits allowing it to comfortably fit within either the VLAN ID portion 496 or the PI portion 436 , as described above.
- the role tag 440 may be larger but map-able to a value that fits within the VLAN ID portion 496 .
- the second portion 494 may be configured to include various other header information aside from the VLAN ID 496 .
- the exact details of the other header information portion 494 are generally not germane to the current matter.
- the other header information portion 494 may include a flag or version number, for example, that indicates the repurposing of the VLAN ID portion 496 or, in another embodiment, the existence of the role tag 440 .
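- Added example (not the patent's code): an encoder and decoder for the 4-octet 802.1Q tag in which the 12-bit VLAN ID portion 496 carries the role tag, as the passage above describes. Two details are assumptions of this example rather than anything the patent specifies: the DEI bit of the other-header-information portion 494 is used as the flag that signals the repurposing, and role identifiers wider than 12 bits are mapped onto free VLAN IDs by a small table (the "larger but map-able" case), while role tags that already fit are used as-is so that role tag and VLAN ID stay synonymous. VID 0 and VID 4095 are excluded because 802.1Q reserves them.

```python
import struct
from typing import Dict, Optional

VLAN_ETHERTYPE = 0x8100
VID_MASK = 0x0FFF           # the 12-bit VLAN ID portion 496
ROLE_FLAG = 1 << 12         # DEI bit of the other-header portion 494, reused here as the
                            # "VID carries a role tag" flag (assumption of this example)
RESERVED_VIDS = {0, 0xFFF}  # 802.1Q reserves VID 0 (priority-tagged) and 4095


class RoleMap:
    """Maps role identifiers onto VLAN-ID-sized values and back (constructed helper)."""

    def __init__(self) -> None:
        self._vid_of: Dict[int, int] = {}
        self._role_of: Dict[int, int] = {}

    def vid_for(self, role_id: int) -> int:
        if role_id in self._vid_of:
            return self._vid_of[role_id]
        if role_id <= VID_MASK and role_id not in RESERVED_VIDS and role_id not in self._role_of:
            vid = role_id  # small role tags are carried as-is: role tag value == VLAN ID
        else:
            # wider (or colliding) role identifiers are mapped onto the next free VLAN ID
            vid = next(v for v in range(1, VID_MASK) if v not in self._role_of)
        self._vid_of[role_id], self._role_of[vid] = vid, role_id
        return vid

    def role_for(self, vid: int) -> int:
        return self._role_of[vid]


def encode_role_vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """4-octet tag: EtherType 0x8100, then PCP(3 bits) | role flag(1) | VID(12)."""
    return struct.pack("!HH", VLAN_ETHERTYPE, ((pcp & 7) << 13) | ROLE_FLAG | (vid & VID_MASK))


def decode_vlan_tag(tag: bytes) -> dict:
    et, tci = struct.unpack("!HH", tag[:4])
    if et != VLAN_ETHERTYPE:
        raise ValueError("not an 802.1Q tag")
    return {"pcp": tci >> 13, "role_flag": bool(tci & ROLE_FLAG), "vid": tci & VID_MASK}


def role_from_tag(tag: bytes, roles: RoleMap) -> Optional[int]:
    """Recover the role only when the flag says the VID is repurposed; a plain VLAN tag yields None."""
    fields = decode_vlan_tag(tag)
    return roles.role_for(fields["vid"]) if fields["role_flag"] else None
```

Without the flag, a receiver cannot tell a repurposed VID from an ordinary VLAN membership, which is why the decoder refuses to interpret an unflagged tag as a role.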
- FIG. 3 is a block diagram of an example embodiment of a system 300 in accordance with the disclosed subject matter.
- FIG. 3 illustrates four embodiments of data transmission that may occur through or via the system 300 ; although, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the system 300 may include a client or source network device 303 , two routing network devices (e.g., network device A 306 and network device B 306 b ), and a server or destination network device 314 .
- the routing network devices may include at least one ingress port (e.g., ingress ports 308 and 308 b ), at least one egress port (e.g., egress ports 312 and 312 b ), and a switching fabric (e.g., switching fabric 310 and 310 b ) configured to route data from the receiving ingress to the proper egress port for the data to continue its journey to the destination network device 314 .
- the ingress and egress ports may include a physical network layer (PHY) device or component configured to encode or decode the data as it is received or transmitted.
- the data packet or frame may traverse a number of “hops” or portions of the network where the data packet (or at least the payload portion thereof) is transferred from one device or component to another.
- a “hop” may include a network link from one network device to another (e.g., hops 351 , 354 , and 357 ).
- a “hop” may include a transfer from one component within a network device to another component within the same network device (e.g., hops 352 , 353 , 355 , 356 , and 358 ); where it is understood that a number of modern routing network devices may be aggregated into acting as a single larger routing network device.
- Table 399 of FIG. 3 illustrates four different embodiments of data transmission that may occur through or via the system 300 ; although, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited. Specifically, Table 399 illustrates how, in these four illustrative embodiments, portions of the data packet or frame may be inspected, removed, generated, or added by the transmitting device or component of each “hop”.
- all four of the network devices 304 , 306 , 306 b , and 314 of system 300 may support the MACsec protocol and the use or employment of the MACsec protocol to convey role based authentication via a role tag, as described above.
- the first embodiment also illustrates the link-to-link nature of the MACsec protocol and the removal and preservation of the role based authentication tag within a routing network device (e.g., network device A 306 , etc.) via the VLAN header.
- the client 304 may be authenticated via, for example, I.E.E.E. 802.1X standards and assigned a role before communication starts.
- the role information or identifier may become a role tag associated with user traffic.
- the role tag may be embedded or included as part of the SCI in the SecTag as described above.
- the client 304 may transmit, via hop 351 , a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, a MACsec SecTag (ST) portion, a payload (P) portion, and an ICV portion, as described above.
- the data packet or frame may be received by an ingress port 308 .
- the network device 306 may be configured to determine if the received data packet includes a security tag that includes a role based authentication tag. If so, in one embodiment, the ingress port 308 or the PHY of the ingress port 308 may generate a VLAN header or tag (VT) that includes the role tag information originally included in the MACsec tag (ST), as described above. In some embodiments, the ST and ICV portions may be removed from the data packet, as dictated by the 802.1 AE standard.
- the ingress port 308 may transmit, via hop 352 , a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, a VLAN portion that includes a role tag (VT), and a payload (P) portion, as described above.
- This internal or VLAN-based data packet may be received and transmitted by the switching fabric 310 to the egress port 312 .
- the egress port 312 or the PHY thereof may determine if the received data packet includes a VLAN tag that includes a role based authentication tag. If so, in one embodiment, the egress port 312 or the PHY thereof may generate a MACsec tag (ST) that includes the role tag information previously included in the VLAN header or tag (VT), as described above. In various embodiments, the egress port 312 may also generate an ICV portion as dictated by the 802.1 AE standard.
- the egress port 312 may transmit, via hop 354 , a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, a MACsec SecTag (ST) portion, a payload (P) portion, and an ICV portion, as described above.
- this process may continue through network device B 306 b and any intervening network devices (not shown) until the data is received by the server 314 .
- the role tag may be protected as part of the MACsec frame, as described above.
- the server 314 or the PHY thereof may provide the server 314 with the role tag encoded within the MACsec SecTag (ST) and remove the MACsec SecTag (ST) and accompanying ICV portion.
- the server 314 may include or be configured to utilize an ACL based upon role tags.
- the role tag embedded in the SCI may be parsed as the key to lookup ACL database for policy control.
- three of the four network devices 306 , 306 b , and 314 of system 300 may support the MACsec protocol and the use or employment of the MACsec protocol to convey role based authentication via a role tag, as described above.
- the client 304 may not be configured to support role based authentication via a role tag.
- the client 304 may be authenticated via I.E.E.E. 802.1X or 802.1 AF standards and assigned a role before communication starts. However, in various embodiments, the client 304 may not be configured to support or accept the assigned role based authentication. In such an embodiment, the client 304 may not be configured to transmit the assigned role via the data packet.
- the client 304 may transmit, via hop 351, a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, and a payload (P) portion, as described above.
- the data packet or frame may be received by an ingress port 308.
- the network device 306 may be configured to determine if the received data packet includes a security tag that includes a role based authentication tag. If not, in one embodiment, the ingress port 308 or the PHY of the ingress port 308 may forward the data packet to the switching fabric 310 without modification (in regards to the role based authentication information).
- the network device A 306 or switching fabric 310 may be configured to assign a default role to data entering via the ingress port 308 or exiting via the egress port 312.
- the role information or identifier may be transmitted to an access point (AP) (e.g., network device A 306).
- data packets originating from the client 304 (e.g., having a source address of the client 304) may be encoded with the role-based authentication tag by the AP acting as a proxy for the client 304.
- the switching fabric 310 may generate a VLAN header or tag (VT) that includes the role tag information assigned by default or by proxy, as described above.
- at the egress port 312, the ST and ICV portions may be removed from the data packet, as dictated by the 802.1 AE standard.
- the egress port 312 or the PHY thereof may determine if the data packet received via hop 353 includes a VLAN tag that includes a role based authentication tag. If so, in one embodiment, the egress port 312 or the PHY thereof may generate a MACsec SecTag (ST) that includes the role tag information previously carried in the VLAN header or tag (VT), as described above. In various embodiments, the egress port 312 may also generate an ICV portion as dictated by the 802.1 AE standard.
- the egress port 312 may transmit, via hop 354, a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, a MACsec SecTag (ST) portion, a payload (P) portion, and an ICV portion, as described above.
- the process as described in relation to Embodiment #1 may continue through network device B 306b and any intervening network devices (not shown) until the data is received by the server 314.
- the server 314 or the PHY thereof may provide the server 314 with the role tag encoded within the MACsec SecTag (ST) and remove the MACsec SecTag (ST) and accompanying ICV portion.
- in the third embodiment (e.g., Embodiment #3), only the final two of the four network devices (306b and 314) of system 300 may support the MACsec protocol and the use of the MACsec protocol to convey role based authentication via a role tag, as described above.
- the client 304 and network device A 306 may not be configured to support role based authentication via a role tag.
- the third embodiment illustrates the possibility that other headers or tags (e.g., a VLAN forwarding tag) may be added to the data packet as it traverses the network.
- the client 304 may be authenticated and transmit, via hop 351, a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, and a payload (P) portion, as described above.
- the data packet or frame may be received by an ingress port 308.
- the network device A 306 may add or attach an additional header to the data packet.
- a traditional VLAN header without any role-based authentication tag (VF) may be attached or added to the data packet for forwarding purposes.
- the egress port 312 may transmit, via hop 354, a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, a forwarding VLAN header (VF), and a payload (P) portion, as described above.
- the data packet or frame may be received by an ingress port 308b.
- the network device B 306b may add or assign a default authentication role to the data packet (e.g., "low-level user", "guest", etc.) and forward the packet along, as described above.
- the data packet may be received by the server 314, where the default role or the role assigned by the network device B 306b may be extracted.
- in the fourth embodiment, again three of the four network devices (306a, 306b, and 314) of system 300 may support the MACsec protocol and the use of the MACsec protocol to convey role based authentication via a role tag, as described above.
- the client 304 may not be configured to support role based authentication via a role tag.
- the fourth embodiment illustrates the possibility that other headers or tags (e.g., a VLAN forwarding tag) may be added to the data packet as it traverses the network.
- the client 304 may be authenticated and transmit, via hop 351, a data packet that includes a MAC destination address (DA) portion, a MAC source (SA) portion, and a payload (P) portion, as described above.
- the data packet or frame may be received by an ingress port 308.
- a role may be assigned by the network device A 306 , as described above in relation to the second embodiment. In such an embodiment, this may result in a MACsec SecTag (ST) that includes a role based authentication tag, as described above.
- the data packet, or at least the payload (P) portion thereof, may be transmitted to the server 314, as described above.
- FIG. 5 is a flow chart of an example embodiment of a technique in accordance with the disclosed subject matter.
- the technique 500 may be used or produced by systems such as those of FIG. 1, 2, or 3.
- portions of technique 500 may be used or produced by a data packet such as those of FIG. 4 .
- with regard to FIG. 5, it is understood that the above are merely a few illustrative examples to which the disclosed subject matter is not limited.
- the disclosed subject matter is not limited to the ordering of or number of actions illustrated by technique 500 .
- Block 502 illustrates that, in one embodiment, a data packet may be received that includes a payload portion, a source network address and a destination network address, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 504 illustrates that, in one embodiment, a determination may be made as to whether or not the data packet includes a security tag that includes a role based authentication tag, as described above.
- determining may include determining if the data packet includes a security tag that is substantially compatible with the I.E.E.E. 802.1 AE standard, as described above.
- determining may include determining if the role based authentication tag is included as a portion of a Secure Channel Identifier, as described above.
- determining may include determining if the security tag includes a VLAN header or tag that includes a role based authentication tag (e.g., a VLAN SecTag or Vsectag, etc.), as described above.
- a configuration bit may be set to configure the network device to determine the role tag by masking certain bits (e.g., the lower 12 bits) of the SCI when performing a comparison to the SCI in a SC entry table.
- another or the same configuration bit may be set to configure the network device to determine the role tag by employing the VID of a VLAN header as the role tag.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 506 illustrates that, in one embodiment, if the data packet includes a security tag that includes a role based authentication tag, a virtual local area network (VLAN) tag may be generated that includes the role based authentication tag, as described above.
- generating may include placing the role based authentication tag within a VLAN identifier (ID) portion of the VLAN tag, as described above.
- another or the same configuration bit may be set to configure the network device to write the predetermined bits (e.g., the lower 12 bits) of the SCI as the VLAN ID portion of the VLAN header or tag, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packet 403 of FIG. 4, as described above.
- Block 508 illustrates that, in one embodiment, the security tag may be disassociated or removed from the payload portion of the data packet, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 510 illustrates that, in one embodiment, the VLAN header or tag may be associated or coupled with, or added to, the payload portion of the data packet, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 512 illustrates that, in one embodiment, if the data packet does not include a security tag that includes a role based authentication tag, a predetermined role value may be assigned to the data packet, as described above.
- the predetermined role value may include a default role value.
- the predetermined role value may include a role value assigned or associated with the source network device by an authentication server or entity, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 514 illustrates that, in one embodiment, a role based authentication tag may be generated that includes the predetermined role value, as described above.
- generating the role based authentication tag may include generating a MACsec SecTag, as described above.
- generating may include generating a VLAN header or tag, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 516 illustrates that, in one embodiment, the role based authentication tag may be associated or coupled with the payload portion of the data packet, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or ingress ports 308 or 308b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 518 illustrates that, in one embodiment, a network route or privileges may be determined based at least in part upon the role based authentication tag, as described above. In various embodiments, if the role based authentication tag indicates that the data packet or the sender thereof does not have sufficient privileges to access the destination address, the data packet may be dropped, discarded or otherwise prevented from reaching its intended destination. In another embodiment, one of a plurality of routes may be selected based upon the role based authentication tag. In various embodiments, one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or egress ports 312 or 312b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 520 illustrates that, in one embodiment, a determination may be made as to whether or not a next network device (along the network path to the destination address) is configured to support a data packet that includes a security tag that includes a role based authentication tag, as described above.
- a security tag that includes the role based authentication tag may be generated and associated with the payload portion of the data packet, as described above.
- a VLAN header or tag that includes the role based authentication tag may be generated and associated with the payload portion of the data packet, as described above.
- one of a plurality of routes may be selected based upon the role based authentication tag.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or egress ports 312 or 312b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
- Block 522 illustrates that, in one embodiment, at least the payload portion and the role based authentication tag may be transmitted towards the destination network address, as described above.
- transmitting may include the actions of Block 520, as described above.
- one or more of the action(s) illustrated by this Block may be performed by or related to the network devices 106, 108, 108a, 114, 114a, or 114b of FIG. 1 or 2, the network devices 306, 306b, and 314 or egress ports 312 or 312b of FIG. 3, or packets 401 or 403 of FIG. 4, as described above.
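As an added example (not code from the patent or its assignee), the following constructed Python model walks technique 500 on one network device: it parses a frame, reads the role tag from the low 12 bits of the MACsec SCI or from the VID of an 802.1Q tag, assigns a predetermined role when neither is present (Blocks 512-516), enforces a role based ACL (Block 518), and re-encodes the role for the next hop in whichever form that hop supports (Blocks 520-522); it also shows the masked SCI comparison against an SC entry table from the configuration-bit description. The role values, MAC addresses, ACL and channel SCI are assumptions, and the MACsec frame is modelled with a cleartext payload and an unverified placeholder ICV, with no AES-GCM.

```python
"""Constructed model of technique 500 (added example, not the patent's code).

A frame carries its role tag either in the low 12 bits of the MACsec SCI or in
the 12-bit VID of an 802.1Q tag; a network device extracts (or defaults) the
role, enforces a role based ACL, then re-encodes the role for the next hop.
Simplification: the payload is cleartext and the ICV is a zero placeholder.
"""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100     # IEEE 802.1Q tag TPID
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTag EtherType
TCI_SC = 0x20               # TCI bit: explicit 8-byte SCI present in the SecTag
ROLE_MASK = 0x0FFF          # low 12 bits of the SCI, and the 12-bit VID, hold the role
ICV_LEN = 16                # placeholder ICV length; not verified in this model

# Constructed role values, server address and ACL (assumptions, not from the patent).
ROLE_GUEST, ROLE_STAFF, ROLE_ADMIN = 0x001, 0x010, 0x100
DEFAULT_ROLE = ROLE_GUEST                      # Block 512: predetermined role value
SERVER_MAC = bytes.fromhex("0200000000ee")
ACL = {SERVER_MAC: {ROLE_STAFF, ROLE_ADMIN}}   # roles permitted to reach the server


def parse(frame: bytes) -> dict:
    """Blocks 502/504: split a frame and report which role tag, if any, it carries."""
    da, sa = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_MACSEC:
        if not frame[14] & TCI_SC:
            raise ValueError("SecTag without explicit SCI cannot carry a role tag")
        # SecTag layout: TCI/AN(1) SL(1) PN(4) SCI(8), then secure data, then ICV
        sci = struct.unpack("!Q", frame[20:28])[0]
        return {"da": da, "sa": sa, "tag": "macsec", "sci": sci,
                "role": sci & ROLE_MASK, "payload": frame[28:-ICV_LEN]}
    if etype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]  # PCP(3) DEI(1) VID(12)
        return {"da": da, "sa": sa, "tag": "vlan",
                "role": tci & ROLE_MASK, "payload": frame[16:]}
    return {"da": da, "sa": sa, "tag": None, "role": None, "payload": frame[14:]}


def sc_lookup(sci: int, sc_table: dict) -> Optional[dict]:
    """Masked SCI comparison (the configuration-bit case): the SC entry table is keyed
    on the SCI with the role bits cleared, so one secure channel serves every role."""
    return sc_table.get(sci & ~ROLE_MASK)


def encode_vlan(da: bytes, sa: bytes, role: int, payload: bytes) -> bytes:
    """Blocks 506-510: role tag written into the VID of an 802.1Q tag (PCP/DEI zero)."""
    return da + sa + struct.pack("!HH", ETHERTYPE_VLAN, role & ROLE_MASK) + payload


def encode_macsec(da: bytes, sa: bytes, role: int, payload: bytes,
                  channel_sci: int, pn: int = 1) -> bytes:
    """Block 520, next hop supports MACsec: role tag written into the low 12 bits of
    the SCI of the SecTag. Placeholder zero ICV; real frames carry an AES-GCM ICV."""
    sci = (channel_sci & ~ROLE_MASK) | (role & ROLE_MASK)
    sectag = struct.pack("!BBIQ", TCI_SC, 0, pn, sci)
    return (da + sa + struct.pack("!H", ETHERTYPE_MACSEC) + sectag
            + payload + bytes(ICV_LEN))


def forward(frame: bytes, next_hop_macsec: bool, channel_sci: int,
            default_role: int = DEFAULT_ROLE) -> Optional[bytes]:
    """One network device running technique 500: extract or default the role
    (Blocks 512-516), apply the ACL (Block 518) and re-encode for the next hop
    (Blocks 520-522). Returns None when the frame is dropped."""
    f = parse(frame)
    role = f["role"] if f["role"] is not None else default_role
    allowed = ACL.get(f["da"])
    if allowed is not None and role not in allowed:
        return None                                   # insufficient privileges: drop
    if next_hop_macsec:
        return encode_macsec(f["da"], f["sa"], role, f["payload"], channel_sci)
    return encode_vlan(f["da"], f["sa"], role, f["payload"])


if __name__ == "__main__":
    client = bytes.fromhex("020000000001")            # constructed client MAC
    untagged = SERVER_MAC + client + b"\x08\x00" + b"hello"
    print("untagged guest:", forward(untagged, True, 0x0123456789AB0000))  # None: dropped
    secured = forward(untagged, True, 0x0123456789AB0000, default_role=ROLE_STAFF)
    print("role after MACsec hop:", hex(parse(secured)["role"]))          # 0x10
    legacy = forward(secured, False, 0)                # next hop lacks MACsec: VLAN VID
    print("role after VLAN hop:", hex(parse(legacy)["role"]))             # 0x10
```

The round trip MACsec SCI to VLAN VID and back keeps the same 12-bit role value, which is the mapping the VLAN-unaware and MACsec-unaware hops in the embodiments above rely on.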
- Implementations of the various techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Implementations may be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g. in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g. a programmable processor, a computer, or multiple computers.
- a computer program such as the computer program(s) described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
- a computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
- Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps also may be performed by, and an apparatus may be implemented as, special purpose logic circuitry, e.g. an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
- processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
- a processor will receive instructions and data from a read-only memory or a random access memory or both.
- Elements of a computer may include at least one processor for executing instructions and one or more memory devices for storing instructions and data.
- a computer also may include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
- Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g. EPROM, EEPROM, and flash memory devices; magnetic disks, e.g. internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
- the processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.
- implementations may be implemented on a computer having a display device, e.g. a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user and a keyboard and a pointing device, e.g. a mouse or a trackball, by which the user can provide input to the computer.
- Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g. visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
- Implementations may be implemented in a computing system that includes a back-end component, e.g. as a data server, or that includes a middleware component, e.g. an application server, or that includes a front-end component, e.g. a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation, or any combination of such back-end, middleware, or front-end components.
- Components may be interconnected by any form or medium of digital data communication, e.g. a communication network. Examples of communication networks include a local area network (LAN) and a wide area network (WAN), e.g. the Internet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US12/463,204 US8700891B2 (en) | 2008-05-09 | 2009-05-08 | Preserving security association in MACsec protected network through VLAN mapping
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US5192108P | 2008-05-09 | 2008-05-09 |
US12/463,204 US8700891B2 (en) | 2008-05-09 | 2009-05-08 | Preserving security association in MACsec protected network through VLAN mapping
Publications (2)
Publication Number | Publication Date
---|---
US20090307751A1 (en) | 2009-12-10
US8700891B2 (en) | 2014-04-15
Family
ID=41401528
Family Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US12/463,204 Active 2032-01-04 US8700891B2 (en) | 2008-05-09 | 2009-05-08 | Preserving security association in MACsec protected network through VLAN mapping
Country Status (1)
Country | Link
---|---
US (1) | US8700891B2 (en)
Non-Patent Citations (5)
| Title |
|---|
| "802.1X IEEE Standard for Local and Metropolitan Area Networks", IEEE Std 802.1X-2004 (Revision of IEEE Std 802.1X-2001), Port-Based Network Access Control, IEEE Computer Society, 179 pages. |
| "IEEE 802.1AE", From Wikipedia.org (Retrieved on Apr. 14, 2009). Available at http://en.wikipedia.org/wii/MACsec. |
| "IEEE 802.1Q", From Wikipedia.org, Web Page (Retrieved on Apr. 12, 2009). Available at http://en.wikipedia.org./wiki/IEEE-802.1Q. |
| "IEEE Standard for Local and Metropolitan Area Networks", IEEE Std 802.1AE-2006, Media Access Control (MAC) Security, IEEE Computer Society, (Aug. 18, 2006), 154 pages. |
| "IEEE Standard for Local and Metropolitan Area Networks", IEEE Std 802.1Q-2005, Virtual Bridged Local Area Networks, IEEE Computer Society, (May 19, 2006), 303 pages. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: BROADCOM CORPORATION, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIN, MEG;BUER, MARK;ILYADIS, NICHOLAS;AND OTHERS;SIGNING DATES FROM 20090721 TO 20090817;REEL/FRAME:024242/0406 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | AS | Assignment | Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA. Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:037806/0001. Effective date: 20160201 |
 | AS | Assignment | Owner name: AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD., SINGAPORE. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BROADCOM CORPORATION;REEL/FRAME:041706/0001. Effective date: 20170120 |
 | AS | Assignment | Owner name: BROADCOM CORPORATION, CALIFORNIA. Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BANK OF AMERICA, N.A., AS COLLATERAL AGENT;REEL/FRAME:041712/0001. Effective date: 20170119 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551). Year of fee payment: 4 |
 | AS | Assignment | Owner name: AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE. LIMITE. Free format text: MERGER;ASSIGNOR:AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD.;REEL/FRAME:047230/0910. Effective date: 20180509 |
 | AS | Assignment | Owner name: AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE. LIMITE. Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE EFFECTIVE DATE OF THE MERGER PREVIOUSLY RECORDED AT REEL: 047230 FRAME: 0910. ASSIGNOR(S) HEREBY CONFIRMS THE MERGER;ASSIGNOR:AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD.;REEL/FRAME:047351/0384. Effective date: 20180905 |
 | AS | Assignment | Owner name: AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE. LIMITE. Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ERROR IN RECORDING THE MERGER IN THE INCORRECT US PATENT NO. 8,876,094 PREVIOUSLY RECORDED ON REEL 047351 FRAME 0384. ASSIGNOR(S) HEREBY CONFIRMS THE MERGER;ASSIGNOR:AVAGO TECHNOLOGIES GENERAL IP (SINGAPORE) PTE. LTD.;REEL/FRAME:049248/0558. Effective date: 20180905 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |